Authentication, authorization, and accounting (AAA) is an architectural framework for providing secure access to network devices and resources. AAA consists of three independent but related functions: authentication, authorization, and accounting.
Authentication is the process of identifying a user and verifying that identity. Within the AAA framework, authentication occurs when a user presents the appropriate credentials to an AAA server and requests that the server authenticate the user. The AAA server attempts to validate the credentials and responds with either an accept or a deny message. AAA authentication is typically used to control remote users' access to a network device such as a router or Network Access Server (NAS), or to control access to network resources.
Authorization grants predefined rights or privileges to a user, a group of users, a system, or a process. Within the AAA framework, a client queries the AAA server to determine what actions a user is authorized to perform. The AAA server returns a set of attribute-value (AV) pairs that defines the user's authorization, and the client is then responsible for enforcing access control based on those AV pairs. AAA authorization is typically used to authorize actions attempted while logged into a network device, or attempts to use network services.
Accounting records (or accounts for) the who, what, when, and where of an action that has taken place. Accounting enables tracking of the services that users access and the amount of resources they consume. This data can later be used for accountability, network management, billing, auditing, and reporting. Within the AAA framework, the client sends accounting records, each made up of accounting AV pairs, to the AAA server for centralized storage.
One protocol used for providing authentication services is the Remote Access Dial-In User Service (RADIUS) protocol. RADIUS is a client/server protocol in which the client, typically a Network Access Server (NAS), a router, or a switch, requests a service such as authentication or authorization from the RADIUS server. When the client needs authentication or authorization information, it queries the designated RADIUS server, passing along the user's credentials. The server then responds with the configuration information necessary for the client to deliver services to the user. A RADIUS server can also act as a proxy client to other RADIUS servers or to other kinds of authentication servers.
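As an added example that is not part of the original text, the following Python sketch models the RADIUS client/server exchange described above in the style of RFC 2865: the AV-pair (attribute) encoding, the random Request Authenticator, the shared-secret hiding of User-Password, and the Response Authenticator that lets the client (NAS) confirm an Access-Accept or Access-Reject really came from the server holding the secret. The shared secret, user store, and credentials are constructed sample values, and the server is a toy that handles only User-Name and User-Password.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types
SECRET = b"constructed-shared-secret"      # NAS/server shared secret (constructed)
USER_DB = {b"alice": b"correct horse"}     # constructed sample user store

def attr(t, v):                            # one RADIUS attribute-value pair (TLV)
    return struct.pack("!BB", t, len(v) + 2) + v

def parse_attrs(data):                     # TLV list -> {type: value}
    out, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        out[t], i = data[i + 2:i + l], i + l
    return out

def xor_chain(data, req_auth, decrypt):
    """RFC 2865 User-Password hiding: each 16-byte block is xored with MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out += block
        prev = data[i:i + 16] if decrypt else block   # chain on the ciphertext block
    return out

def access_request(user, pw, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # fresh random Request Authenticator per request
    hidden = xor_chain(pw + b"\x00" * (-len(pw) % 16), req_auth, False)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_respond(req):
    """Toy RADIUS server: validate the credentials and return a signed Accept or Reject."""
    _, ident, _ = struct.unpack("!BBH", req[:4])
    req_auth, a = req[4:20], parse_attrs(req[20:])
    pw = xor_chain(a[USER_PASSWORD], req_auth, True).rstrip(b"\x00")
    ok = hmac.compare_digest(USER_DB.get(a[USER_NAME], b""), pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + SECRET).digest()   # Response Authenticator

def client_verify(resp, req_auth):
    """Client side: trust the verdict only if the Response Authenticator matches; else None."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest()
    return resp[0] if hmac.compare_digest(expected, resp[4:20]) else None
```

A reply whose code byte was altered in transit fails `client_verify`, which is why a NAS must check the Response Authenticator rather than act on the code alone.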
Another protocol used for providing authentication services is the Extensible Authentication Protocol (EAP). EAP is a general authentication protocol that supports multiple authentication methods. In wireless communications using EAP, a user requests a connection to a wireless local area network (WLAN) through an access point (AP), which requests the identity of the user and forwards that identity to an authentication server such as a RADIUS server. The server asks the AP for proof of identity, which the AP obtains from the user and sends back to the server to complete the authentication.
Yet another protocol used for providing authentication services is known as Protected Extensible Authentication Protocol (PEAP). PEAP authenticates WLAN clients using server-side digital certificates by creating an encrypted tunnel between the client and the authentication server. The tunnel then protects the subsequent user authentication exchange.